Lawsuit filed in ADAP data breach

Following a data breach that compromised the medical records of 93 HIV-positive people in California in November 2016, Lambda Legal Defense and Education Fund this month filed a class action lawsuit in San Francisco Superior Court against A.J. Boggs & Company, which at the time held the AIDS Drugs Assistance Program contract with the California Department of Public Health.

A.J. Boggs, a private company based in Michigan, was awarded a contract by CDPH in July 2016 to oversee the state's ADAP online enrollment system. ADAP, part of the Ryan White HIV/AIDS Treatment Extension Act of 2009, provides life-saving medication to low-income people living with HIV who have limited or no health care coverage and are not eligible for Medi-Cal.

Lambda Legal attorneys claim A.J. Boggs did not do enough beta testing before rolling out the new online enrollment system, also known as a portal. Prior to the system going public, the Los Angeles County Department of Health voiced its concern over the lack of testing and vetting of the online portal, as did various nonprofit HIV/AIDS service organizations in the California HIV Alliance, including the San Francisco AIDS Foundation.

"[A.J. Boggs] should have been much more aware of the possibility of a breach than they were," said Scott Schoettes, an attorney and HIV project director at Lambda Legal. "There were numerous warnings and concern over the insufficient testing of the online enrollment system. They did not pay enough attention to protecting this information."

A.J. Boggs CEO Clarke Anderson declined to comment to the Bay Area Reporter saying, "We have not yet received the filed complaint and therefore cannot comment at this time."

Schoettes spoke about the impact the breach had on the 93 low-income victims, saying it is yet another barrier to health care to already vulnerable communities including LGBT, women, and people of color.

"The people in this lawsuit already face discrimination and stigma around their identities in the system," he said. "This violation of their trust is another barrier to care. The important thing about this lawsuit is for people to realize how important it is to protect the information of people living with HIV."

In California, approximately 30,000 people are enrolled in ADAP, according to a Lambda Legal news release. The enrollment process requires people to provide sensitive information, including detailed medical records that contain their HIV status, which under state law requires complete confidentiality.

One of the plaintiffs, identified in court papers under the pseudonym Alan Doe, said in the Lambda Legal news release, "I need these medications to live, and I could only afford them through ADAP. That doesn't mean, however, that I want everyone to know my HIV status. That's for me to decide, and A.J. Boggs took that choice away from me."

The complaint filed by Lambda Legal alleges A.J. Boggs became aware of the breach in November 2016, at which point it took the portal offline. In February 2017, the state health department discovered that unknown individuals accessed the ADAP system and downloaded the private medical information of 93 people. The state department canceled its contract with A.J. Boggs in March 2017 and now oversees the enrollment system.

Courtney Mulhern-Pearson, director of state and local policy at SFAF, told the B.A.R in a phone interview there had been issues with ADAP since A.J. Boggs first took control, including patients' difficulty receiving medicine and being denied care. ADAP has since been running sufficiently, Mulhern-Pearson said.

"Since they moved the ADAP portal back into CDPH, it's much more secure," she said. "We have not heard of any security complaints since last March."

She also said A.J. Boggs' process for getting the online portal up and running was "rushed." The breach set back the state's PrEP Assistance Program for uninsured people by a year. That program aims to expand access to PrEP for uninsured people.

Historically, the state has contracted with private vendors to administer the ADAP program. As previously reported by the B.A.R, the CDPH previously contracted with Ramsell, a pharmaceutical company, and then split its contract into three contracts: Magellan Rx Management and Pool Administrators Inc., which along with Boggs, were the new contractors. The state had split up the contract in an effort to get better prices, spokespeople said.

However, Ramsell is suing the state over losing its contract. In court documents, the Oakland-based company alleges that its bid had been "$9 million lower than Boggs.'"In their response, state officials admitted that "Boggs' proposal resulted in a higher cost (by $9 million) over three years compared to Ramsell's."

Lambda Legal is seeking to have the lawsuit certified as a class action, and is seeking statutory and compensatory damages. It is suing over the violation of California's medical privacy laws, including the California AIDS Public Health Records Confidentiality Act and the California Confidentiality of Medical Information Act.